Computer-based encryption techniques often require generating a cryptographic transform for use only by the two parties to a communication session. Such cryptographic transforms may be used as pairwise keys for message authentication codes, for encryption, or for other purposes. For example, such a cryptographic transform is needed to establish an encrypted virtual private network (VPN) communication session between two network devices, such as routers.
In one approach for generating cryptographic transforms for use by only two parties, a certificate authority (CA) that forms a part of a public key infrastructure (PKI) in a network generates digital certificates. Each party to a secure communication session receives a digital certificate. Using the digital certificates, one party can authenticate itself to another party, and the parties can then generate and exchange secure session keys. While PKI approaches are secure and scalable, few networks presently use them, because of the perceived complexity of installing and maintaining the CA, and the high cost of commercial CA products. While some CAs cost less and are easier to install and maintain, they are not generally accepted for a variety of business reasons.
Another past approach involves distributing pre-shared keys to all parties that may potentially participate in secure communications. A pre-shared key is a key that is known to all (usually two) parties to an encrypted communication. Pre-shared keys can be used in symmetric encryption and decryption algorithms, which are computationally more efficient than the public-key encryption and decryption techniques used in PKI, or to generate a hashed message authentication code (HMAC). When used correctly, such pre-shared keys can provide a valid and secure system. However, pre-shared keys often are distributed manually, which is tedious and not scalable to fully meshed networks containing thousands of nodes.
To address these problems, some networks use one key for all parties in a particular security domain; such keys are termed pre-shared group keys, which serve as authenticators in authenticated key exchange protocols. For example, using pre-shared group keys, when routers in a particular security domain need to set up a VPN, the routers use the pre-shared group keys to authenticate each other prior to negotiating a session key for encrypting communications between themselves. This approach presents problems when a key is compromised and needs to be revoked, expires, or needs to be changed for any other reason. Changing a pre-shared group key requires contacting all parties that have the group key to provide a new group key. In a complex enterprise network comprising thousands of routers, group key revocation potentially requires sending management instructions to all the routers, which is costly, time-consuming, and undesirable. Automated management of pre-shared authentication keys is preferable.
Further, pre-shared keys also are often selected by a network administrator in a manner that does not result in acceptable levels of security. For example, selecting keys that are derived from dictionary words, or that are otherwise non-random, greatly reduces the security of the system. There is a need for a way to automatically generate highly secure keys.
Past group key approaches also are not directly applicable to generating a cryptographic transform for use only by two parties. In group key approaches, all group members have the same shared symmetric cryptographic key for encryption or authentication of session data, and any group member can send a message to any other group member, or to multiple group members using multicast techniques. Although two group members may need to establish a private security association between only the two of them, in past approaches setting up pairwise session keys has required the use of asymmetric cryptographic techniques, which are computationally expensive to perform and which introduce significant latency into packet transmission. It would be useful to have a way to use group key principles to set up pairwise session keys among peer members in a group using more computationally efficient symmetric cryptographic techniques.
Further, when a cryptographic transform is needed for two-party or peer-to-peer communication, the fact that the two parties often are members of a larger group is of interest. For example, two routers that participate in a particular VPN may be members of a larger group of all routers in a network, any of which may potentially participate in one or more other VPNs. Groups often define access control properties of group members that may be useful in establishing pairwise keys.
Group Domain of Interpretation (GDOI) is a mechanism used with Internet Key Exchange (IKE) that provides a means for distributing and managing keys for groups of mutually trusted systems. However, distributing a group key using GDOI entails as much complex processing as IKE to set up a Security Association (SA) at each of the parties to a group. Therefore, in past approaches GDOI has been used only for distributing group keys on a relatively infrequent basis, and not for distributing pairwise keys for use in VPNs and other two-party communication mechanisms whenever there is a need to establish one. Nevertheless, a network may benefit from the capability to set up two-party, peer-to-peer secure communication among members of the group based on group keys that have already been distributed. These benefits include automated management of pre-shared entity-authentication keys for IKE or other key-establishment protocols. The benefits also include reduced computation and message latency for IPsec ESP or other data-security protocols.
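As an added illustration of the symmetric approach discussed above (not the mechanism claimed by this application, and not code from it), the following Python derives a pairwise authentication key for two peers from an already distributed group key using HMAC-SHA256, then uses that key as a message authentication code. The group key, the peer identifiers and the label string are constructed values assumed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample group key for the demonstration; a real deployment would
# use the group key distributed by GDOI or another group-key protocol.
GROUP_KEY = hashlib.sha256(b"constructed demo group key").digest()


def _encode(part: bytes) -> bytes:
    """Length-prefix a field so concatenated identifiers cannot be ambiguous."""
    return len(part).to_bytes(2, "big") + part


def derive_pairwise_key(group_key: bytes, peer_a: bytes, peer_b: bytes,
                        label: bytes = b"pairwise-auth-key") -> bytes:
    """Derive a key for exactly two peers from the group key using HMAC.

    Both peers sort their identifiers before hashing, so each side computes
    the same value locally with no asymmetric operations and no extra
    messages. HMAC-SHA256 is an illustrative assumption, not the
    application's claimed method.
    """
    if peer_a == peer_b:
        raise ValueError("a pairwise key requires two distinct peers")
    first, second = sorted((peer_a, peer_b))
    info = _encode(label) + _encode(first) + _encode(second)
    return hmac.new(group_key, info, hashlib.sha256).digest()


def authenticate(pairwise_key: bytes, message: bytes) -> bytes:
    """Tag a message with the pairwise key (HMAC used as a MAC)."""
    return hmac.new(pairwise_key, message, hashlib.sha256).digest()


def verify(pairwise_key: bytes, message: bytes, tag: bytes) -> bool:
    """Constant-time check of a tag produced by authenticate()."""
    return hmac.compare_digest(authenticate(pairwise_key, message), tag)


if __name__ == "__main__":
    k_ab = derive_pairwise_key(GROUP_KEY, b"router-a", b"router-b")
    k_ba = derive_pairwise_key(GROUP_KEY, b"router-b", b"router-a")
    assert k_ab == k_ba  # both routers derive the same key independently
    msg = b"IKE proposal from router-a"
    tag = authenticate(k_ab, msg)
    print("pairwise key:", k_ab.hex(), "tag verifies:", verify(k_ab, msg, tag))
```

Any member that holds the group key can compute the same pairwise value, so a key derived this way authenticates the two peers to each other as group members and excludes non-members; it does not by itself hide the pair's traffic from other members, which is why the text positions such keys as entity-authentication keys for IKE rather than as session keys. Rekeying the group changes every derived pairwise key at once, which is the revocation property the text asks for.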
Based on the foregoing, there is a clear need for an improved mechanism for generating pairwise cryptographic transforms for use in secure communication sessions among two parties who are members of a group that has a previously established group shared secret or group key.
There is a particular need for a mechanism for generating pairwise cryptographic transforms for use in secure communication sessions among two parties that can automatically generate highly secure pairwise keys based on previously established group shared secrets or group keys.
There is a need for such a mechanism that is scalable for use with thousands of parties, that is easy to implement, and that provides practical key management, including easy revocation of keys and deletion or addition of group members.
The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.